SQL Database

Microsoft Azure
Azure SQL Database is a cloud-based relational database service that offers a fully managed database platform that is highly available, scalable, and secure. It supports multiple deployment options, provides automatic patching, backup and recovery, high availability, and disaster recovery capabilities, and includes built-in intelligence and advanced analytics features. Azure SQL Database offers different service tiers with varying performance levels, storage capacities, and prices to meet various workload requirements, and supports several programming languages and connectivity options.
Terraform Name
SQL Database

The following arguments are supported:

  • name - (Required) The name of the database. Changing this forces a new resource to be created.
  • resource_group_name - (Required) The name of the resource group in which to create the database. This must be the same as Database Server resource group currently. Changing this forces a new resource to be created.
  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
  • server_name - (Required) The name of the SQL Server on which to create the database. Changing this forces a new resource to be created.
  • create_mode - (Optional) Specifies how to create the database. Valid values are: Default, Copy, OnlineSecondary, NonReadableSecondary, PointInTimeRestore, Recovery, Restore or RestoreLongTermRetentionBackup. Must be Default to create a new database. Defaults to Default. Please see Azure SQL Database REST API
  • import - (Optional) A Database Import block as documented below. create_mode must be set to Default.
  • source_database_id - (Optional) The URI of the source database if create_mode value is not Default.
  • restore_point_in_time - (Optional) The point in time for the restore. Only applies if create_mode is PointInTimeRestore, it should be provided in RFC3339 format, e.g. 2013-11-08T22:00:40Z.
  • edition - (Optional) The edition of the database to be created. Applies only if create_mode is Default. Valid values are: Basic, Standard, Premium, DataWarehouse, Business, BusinessCritical, Free, GeneralPurpose, Hyperscale, Premium, PremiumRS, Standard, Stretch, System, System2, or Web. Please see Azure SQL database models.
  • collation - (Optional) The name of the collation. Applies only if create_mode is Default. Azure default is SQL_LATIN1_GENERAL_CP1_CI_AS. Changing this forces a new resource to be created.
  • max_size_bytes - (Optional) The maximum size that the database can grow to. Applies only if create_mode is Default. Please see Azure SQL database models.
  • requested_service_objective_id - (Optional) A GUID/UUID corresponding to a configured Service Level Objective for the Azure SQL database which can be used to configure a performance level. .
  • requested_service_objective_name - (Optional) The service objective name for the database. Valid values depend on edition and location and may include S0, S1, S2, S3, P1, P2, P4, P6, P11 and ElasticPool. You can list the available names with the CLI: shell az sql db list-editions -l westus -o table. For further information please see Azure CLI - az sql db.
  • source_database_deletion_date - (Optional) The deletion date time of the source database. Only applies to deleted databases where create_mode is PointInTimeRestore.
  • elastic_pool_name - (Optional) The name of the elastic database pool.
  • threat_detection_policy - (Optional) Threat detection policy configuration. The threat_detection_policy block supports fields documented below.
  • read_scale - (Optional) Read-only connections will be redirected to a high-available replica. Please see Use read-only replicas to load-balance read-only query workloads.
  • zone_redundant - (Optional) Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones.
  • tags - (Optional) A mapping of tags to assign to the resource.

The import block supports the following:

  • storage_uri - (Required) Specifies the blob URI of the .bacpac file.
  • storage_key - (Required) Specifies the access key for the storage account.
  • storage_key_type - (Required) Specifies the type of access key for the storage account. Valid values are StorageAccessKey or SharedAccessKey.
  • administrator_login - (Required) Specifies the name of the SQL administrator.
  • administrator_login_password - (Required) Specifies the password of the SQL administrator.
  • authentication_type - (Required) Specifies the type of authentication used to access the server. Valid values are SQL or ADPassword.
  • operation_mode - (Optional) Specifies the type of import operation being performed. The only allowable value is Import.

The threat_detection_policy block supports the following:

  • state - (Optional) The State of the Policy. Possible values are Enabled, Disabled or New.
  • disabled_alerts - (Optional) Specifies a list of alerts which should be disabled. Possible values include Access_Anomaly, Sql_Injection and Sql_Injection_Vulnerability.
  • email_account_admins - (Optional) Should the account administrators be emailed when this alert is triggered? Possible values are Disabled and Enabled.
  • email_addresses - (Optional) A list of email addresses which alerts should be sent to.
  • retention_days - (Optional) Specifies the number of days to keep in the Threat Detection audit logs.
  • storage_account_access_key - (Optional) Specifies the identifier key of the Threat Detection audit storage account. Required if state is Enabled.
  • storage_endpoint - (Optional) Specifies the blob storage endpoint (e.g. This blob storage will hold all Threat Detection audit logs. Required if state is Enabled.

Associating resources with a
SQL Database
Resources do not "belong" to a
SQL Database
Rather, one or more Security Groups are associated to a resource.
SQL Database
via Terraform:
The following HCL allows you to manage an Azure SQL Database

resource "azurerm_resource_group" "example" {
 name     = "example-resources"
 location = "West Europe"

resource "azurerm_sql_server" "example" {
 name                         = "myexamplesqlserver"
 resource_group_name          =
 location                     = azurerm_resource_group.example.location
 version                      = "12.0"
 administrator_login          = "4dm1n157r470r"
 administrator_login_password = "4-v3ry-53cr37-p455w0rd"

 tags = {
   environment = "production"

resource "azurerm_storage_account" "example" {
 name                     = "examplesa"
 resource_group_name      =
 location                 = azurerm_resource_group.example.location
 account_tier             = "Standard"
 account_replication_type = "LRS"

resource "azurerm_sql_database" "example" {
 name                = "myexamplesqldatabase"
 resource_group_name =
 location            = azurerm_resource_group.example.location
 server_name         =

 tags = {
   environment = "production"

SQL Database
via CLI:

az sql db create --name
                [--assign-identity {false, true}]
                [--catalog-collation {DATABASE_DEFAULT, SQL_Latin1_General_CP1_CI_AS}]
                [--compute-model {Provisioned, Serverless}]
                [--ledger-on {Disabled, Enabled}]
                [--license-type {BasePrice, LicenseIncluded}]
                [--preferred-enclave-type {Default, VBS}]
                [--read-scale {Disabled, Enabled}]
                [--sample-name {AdventureWorksLT}]
                [--zone-redundant {false, true}]


az sql db create -g mygroup -s myserver -n mydb --service-objective S0

aws cost
Direct Cost
Indirect Cost
No items found.
Best Practices for
SQL Database

Categorized by Availability, Security & Compliance and Cost

Access allowed from VPN
No items found.
Auto Scaling Group not in use
No items found.
Connections towards DynamoDB should be via VPC endpoints
No items found.
Container in CrashLoopBackOff state
No items found.
EC2 with GPU capabilities
No items found.
EC2 with high privileged policies
No items found.
ECS cluster delete alarm
No items found.
ECS task with Admin access (*:*)
ECS task with high privileged policies
No items found.
EKS cluster delete alarm
No items found.
ElastiCache cluster delete alarm
No items found.
Ensure Container liveness probe is configured
No items found.
Ensure ECS task definition has memory limit
No items found.
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Microsoft Azure